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REMARKS 

Claims 1-12, 16-22, 26-32 and 36-39 are pending in the present application. Claims 13- 
15, 23-25 and 33-35 were canceled; claims 18, 28 and 38 were amended; and no claims 
were added. Reconsideration of the claims is respectfully requested. 

L 35 U,S,C. S 103. Obvionsness. Claims 1-10. 12. 20, 22. 30 aod 32 

The Examiner has rejected claims I-IO, 12, 20, 22, 30 and 32 under 35 U.S.C. § 
1 03 as being unpatentable over Amold et al (5440723) (hereiDaftcr "Arnold'') in view of 
ServerWatch - Network Associates Ships CyberCop Sting (hereinafter "ServerWatch"). 
This rejection is respectfully traversed. 

As to claims 1-10 J. 2, 20, 22, 30 and 32, the OfRce Action states: 

With respect to Claim 1, Amold et al meets the limitation of "a 
local server" on Fig. 1 A; and "a plurality of client data processing 
systems" on Fig. IB; and ..broadcasts an indication that a virus attack is 
underway to all devices within the network data processing system" on 
column 2, lines 30-33, column 24, lines 32-42; and "ignores all further 
access requests by the offending system until receiving an indication that 
the offending system has been disinfected, and directs the local server to 
discoxmect the offending system from the network data processing 
system" on column 5^ lines 59-65, and on column 24. lines 44-57. Arnold 
however does not meet the following limitation. 

The limitation of "a bait server, wherein the bait server monitors 
itself and, responsive to an attempt from an offending system within the 
network data processing system to access the bail server" is met by 
ServerWatch on pages I and 2. 

It would have been obvious to combine the teachings of 
ServerWatch within the system of Arnold et al because the bai l server 
provides a dedicated, convenient and less expensive way of monitoring a 
large network. A dedicated bait server requires less maintenance than 
multiple decoy programs/servers and hence simplifies an administrator's 
job of protecting the network. It is obvious to ignore all fiiOrther access 
requests from the offending system, until the infected system is uninfected 
so as not to spread the virus to the rest of the network. 

Office Action dated October 5, 2004, page 1. 

A fundamental notion of patent law is the concept that invention lies in the new 
combination of old elements. Therefore, a rule that every invention could be rejected as 



Page 9 of 24 
Chcfalas et al. - 09/829,761 



PA(^ 1 1)26 ^ RCVD AT 115/2005 2:24:07 PM [Eastern 



01/85/2005 13:21 9723857766 



YEE & ASSOCIATES 



PAGE 12 



obvious by merely locating each element of the invention in the prior art and combining 
the references to formulate an obviousness rejection is inconsistent with the very nature 
of "invention." Consequently, a rule exists that a combination of references made to 
establish a prima facie case of obviousness must be supported by some teaching, 
suggestion, or incentive contained in the prior art which would have led one of ordinary 
skill in the art to make the claimed invention. 

The Examiner bears the burden of establishing a prima facie case of obviousness 
based on the prior art when rejecting claims under 35 U.S.C § 1 03. In re Fritch, 972 
F.2d 1260, 23 U.S.P.Q,2d 1780 (Fed. Qr. 1992). 

Additionally, in comparing Arnold and Servcrwatch to the claimed invention, the 
claim limitations of the presently claimed invention may not be ignored in an 
obviousness determination. 

The present invention, in independent claim 1, recites: 

1. A network data processing system for identifying, locating, and 
deleting viruses, comprising: 
a local server; 

a plurality of client data processing systems; and 
a bait server, wherein 

the bait server monitors itself and, responsive to an attempt from 
an offending system within the network data processing system to access 
the bait server, the bait ser\'er broadcasts an indication that a virus attack is 
underway to all devices within the network data processing system, 
ignores all further access requests by the offending system until receiving 
an indication that the offending system has been disinfected, and directs 
the local server to disconnect the offending system from the network data 
processing system. 

Arnold docs not teach the feature of "directs the local server to disconnect the 
offending system from the network data processing system." The Examiner points to 
column 5, lines 59-65 and column 24. lines 44-57 of Arnold as teaching this feature: 

If the anomaly is found to be due to a known virus or some slight 
alteration of it^ the method proceeds to Step Bl where the user is alerted, 
and the virus removed (killed) by traditional methods, such as restoration 
from backup (either automatically or manually by the user) or disinfection 
(removal of the virus from, all of the sofhvare it has infected,) In general. 
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disinfection is only acceptable if the virus is found to be an exact copy of a 
known virus. This iinplies that the system verify the identification tnade 
by the virus scanner. 

If VIRSCAN (Block 0) has identified one or more infected files, an 
attempt is made to restore each infected file to an uninfected condition. 
VERV is capable of removing many of tbe most common viruses from 
infected files by determining whether the virus is an exact copy of one that 
it is capable of removing. If so, VERV removes the virus. If the virus 
cannot be removed by VERV, an automatic restore fi^om a tape backup or 
fi-om a read-only directory on a server, or from another machine on the 
network is attempted. Tf an automatic restoration of the infected fi le cannot 
be accomplished, the user receives a message describing the simation, 
with instructions for manually restoring the file from backup. 

Neither of the above cited passages teaches the feature of 'Mirccts the local server 
to disconnect the offending system ftom the network data processing system." The first 
cited passage, column 5, lines 59-65, teaches that when a virus is found, the user is 
alerted and an attempt is made to eliminate the virus. The second cited passage, column 
24, lines 44-57, teaches that once a virus has been detected VERV tries to eliminate the 
virus. If VERV is unsuccessful, then an automatic restoration of backup files is 
attempted. If that fails, a message is generated and sent to the user, mstmcting the user to 
manually restore the files from backup. Neither passage, when read separately or 
together, teaches the feamre of "directs the local server to disconnect the offending 
system firom the network data processing system." Therefore, the proposed combination 
does not result in the claimed invention. Accordingly, the Examiner has failed to state a 
prima facie case of obviousness. 

Furthermore, nowhere does Arnold teach or suggest the feature of "directs the 
local server to disconnect the offending system from the network data processing 
system." Arnold describes a process whereby, when a virus is detected, other computers 
are notified. This notification does not include any instmctions to "disconnect the 
offending system from the network data processing system." Instead, Arnold teaches that 
this signal, the kill signal, merely contains information and is intended primarily to 
inform, neighboring computers of an anomaly existing and secondarily to induce them to 
begin their own virus protection routines, as explained in a passage in column 19, line 58 
through column 20, line 1 1 : 
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The kill signal may take a variety of forms and provide as little or 
a$ much information as is appropriate or practical. For example, in one 
embodiment the infected computer simply sends an "I'm infected" signal 
(one bit of inform ation) to its neighbor(s) whenever it enters Step B (Scan 
for Known Viruses), thereby inducing all of the neighbors to also enter 
Step B themselves. In another embodiment, the infected computer sends 
an "I'm itifected'* signal after it has cleaned itself up (completed Step B 
successfully), and also sends the name of the virus (if it was previously 
known) and its signature($), whether the virus was previously known, or 
not. The signaturc(s) may have been determined in Step E. In a further 
embodiment, the j.nfected computer sends an "Fm infected" signal when it 
enters Step CI. i.e., after it fails to identify the anomaly as a known virus, 
thereby inducing its neighbors to enter Steps B and C. Other strategies 
may also be used, other than those specifically detailed above. In all cases, 
the end result is that other computers on the network are alerted to the 
presence of an anomaly, which may be a known or an unknown virus, 
within the network. 

Thus, nowhere does Arnold teach or suggest the feature of "directs the local server to 
disconnect the offending system from the network data processing system." Therefore, 
the proposed combination does not result in the claimed invention. Accordingly, the 
Examiner has failed to state a prima facie case of obviousness. 

Additionally, Arnold does not teach or suggest the feature "i gnores all jfurther 
access requests by the offending system until receiving an indication that the offending 
system has been disinfected." The Examiner points to column 5, lines 59-65 and column 
24, lines 44-57 of Arnold, cited above, as teaching this feature. As was discussed above, 
the first cited passage, teaches that when a vims is found, the user is alerted and an 
attempt is made to eliminate the vims. The second cited passage, teaches that once a vims 
has been detected VERV tries to ehminate the virus. If VERV is unsuccessful, then an 
automatic restoration of backup files is attempted. If that fails, a message is generated and 
sent to the user, instmcting the user to manually restore the files from, backup. Neither 
passage, when read separately or together, teaches the feature of "ignores all further 
access requests by the offending system until receiving an indication that the offending 
system has been disinfected." Therefore, the proposed combination does not result in the 
claimed invention. Accordingly, the Examiner has failed to state a prima facie case of 
obviousness. 
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Furthermore, nowhere does Arnold teach the feature of ^Ignores all further access 
requests by the offending system until receiving an indication that the offending system 
has been disinfected." Instead, as can be seen in the above cited passage, column 1.9, line 
58 through column 20, line 1 1 , Arnold teaches that the infected system can continue 
interacting with the rest of the network as shown by several embodiments in which the 
infected computer sends information to other computers prior to the infected computer's 
being cleaned of the virus. Thus, nowhere does Arnold teach or suggest the feature of 
"ignores all further access requests by the offending system until receiving an indication 
that the offending system has been, disinfected/' Therefore, the proposed combination 
docs not result in the claimed invention. Accordingly, the Examiner has failed to state a 
prima facie case of obviousness. 

Furthermore, Scrverw^atch does not cure the deficiencies of Arnold, Scrverwatch 
does not teach the features missing from Arnold, including "ignores all further access 
requests by the offetiding system, until receiving an indication that the offending system 
has been disinfected and directs the local server to disconnect the offending system from 
the network data processing system. " nor does the Examiner cite any portion of 
ServerWatch that teaches these features. Therefore, the proposed combination does not 
result in the claimed invention. Accordingly, the Examiner has failed to state a prima 
facie case of obviousness. 

Therefore, for all the reasons stated above, AppUcants believe that the cited 
references do not teach all the features of independent claim 1. Therefore, the proposed 
combination does not result in the claimed invention. Accordingly, the Examiner has 
failed to state a prima facie case of obviousness. Accordingly, Applicants respectfully 
submit that claim 1 is patentable over the Arnold and Scrverwatch references. 

The present invention, in independent claim 1 0, which is representative of 
independent claims 20 and 30 with regard to sitnilarly recited subject matter, recites:: 

10. A method for detecting the presence of a computer virus, the 
method comprising; 

receiving, at a bait server, a request to perform a function on the 
bait server; 

identifying an offending system from which the request originated; 
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alerting a local senrer that a virus attack is in progress and of the 
identity of the offending system; and 

directing the local server to disconnect the offending system from 

the network. 

Arnold docs not teach the feature of "directing the local server to discontiect the 
offending system from the network.'' The Examiner points to column 19, line 60 through 
column 20, line 3, reproduced above, as teaching this feature. As was discussed above in 
the rejection of claim 1 , column 19, line 60 through column 20, line 3 does not teach this 
feature. Instead, the cited passage teaches that the kill signal merely contains infonnation 
and is intended primarily to inform neighboring computers of an anomaly existing and 
secondarily to induce them to begin their own virus protection routines. This notification 
does not include any instructions to "disconnect the offending system from the network." 
Thus, nowhere does Arnold teach or suggest the feature of "directing the local server to 
disconnect the offending system from the network." Therefore, the proposed combination 
does not result in the claimed invention. Accordingly, the Examiner has failed to state a 
prima facie case of obviousness. 

Fiuthermore, ServerWatch does not cure the deficiencies of Arnold- ServerWatch 
does not teach the feature missing from Arnold, "directing the local server to disconnect 
the offending system from the network,"" nor does the Examiner cite any portion of 
ServerWatch that teaches this feature. Therefore, the proposed combination does not 
result in the claimed invention. Accordingly, the Examiner has failed to state r prima 
facie case of obviousness. 

Therefore^ for all the reasons stated above, Applicants believe that the cited 
references do not teach all the features of independent claims 10, 20 and 30, Therefore, the 
proposed combination does not result in the claimed invention. Accordingly, the 
Examiner has failed to state a prima facie case of obviousness. Accordingly, Applicants 
respectfiilly submit that claims 10, 20 and 30 are patentable over the Arnold and 
ServerWatch references. 

Claims 2-9, 12, 22 and 32 are dependent claims that depend from independent 
claims 1, 10, 20 and 30. As Applicants have already demonstrated that independent 
claims 1 , 10, 20 and 30 are patentable over the Arnold and ServerWatch references. 
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Applicants submit that dependent claims 2-9, 12, 22 and 32 are patentable over the 
Arnold and Scrvxrwatch references at least by virtue of depending from an allowable 
claim. Consequently, Applicants respectfully submit that the rejection of claims 2-9, 12, 
22 and 32 have been overcome. Additionally, several claims recite other additional 
combinations of features not suggested by the Arnold and ServerWatch references. 

For example, regarding claim 2, the Examiner concedes, and Applicants agree, 
that Arnold does not teach the feature of ''wherein the address of the bait server is not 
pubhshed to the plurality of client data processing systems." However, Scrvcnvatch does 
not teach this feature either. The Examiner points to page 1 of ServerWatch as teaching 
this feature. The Examiner has stated that *'[t]hi5 is because the decoy server creates a 
fictitious presence within the network/* However, just because the ServerWatch product 
creates a fictitious presence, it does not necessarily follow that the address of the server is 
"not published to the plurality of client data processing systems." What the Serv^envatch 
advertisement states is: 



Network Associates, Inc, today announced the availability of its CyberCop 
Sting software, a new ''decoy*' server that silently traces and tracks 
hackers, recording and reporting all intrusive activity to security 
administrators. CyberCop Sting is a component of the CyberCop intrusion 
protection software family which also includes CyberCop Monitor, a real- 
time intrusion detection application that monitors critical systems and 
networks for signs of attack and CyberCop Scanner, a network 
vulnerability scanner. 

CyberCop Sting allows TS managers to silently monitor suspicious activity 
on their corporate network and identify potential problems. It operates by 
creating a series of fictitious corporate systems on a specially outfitted 
server that combines moderate security protection with sophisticated 
monitoring technology. The Sting product creates a decoy, virtual TCP/IP 
network on a single server or workstation and can simulate a network 
containing several different types of network devices, including Windows 
NT servers, Unix servers and routers. Each virtual network device has a 
real IP address and can receive and send genuine-looking packets from 
and to the larger network enviromncnt. Each virtual network node can also 
run simulated daemons, such as finger and FTP, to further emulate the 
activity of a genuine system and avoid suspicion by would-be intruders. 
While watching all traffic destined to hosts in its virtual network, Sting 
performs IP fragmentation reassembly and TCP stream reassembly on the 
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packets destined to these hosts, convincing snoopers of the legitimacy of 
the secret network they've discovered. 

CyberCop Sting provides a number of benefits for security administrators, 
including: 

• Detection of suspicious activity inside network; Log files serve to alert 
administrators to potential attackers prying into reserved areas. 

• Virtual decoy network can contain multiple "hosts" without the expense 
and maintenance that real systems require. 

• CyberCop Stj.ng software's virtual hosts return realistic packet 
information. 

• CyberCop Sting logs snooper activity immediately, so collection of 
information about potential attackers can occur before they leave. 

• CyberCop Sting requires very little file space but creates a sophisticated 
virtual netv^'ork. 

Netvv'ork Associates' CyberCop Intrusion Protection suite is a collection of 
integrated security tools developed to provide network risk assessment 
scanning (Scanner), teal-time intrusion monitoring (Monitor) and decoy 
trace-and -track capabilities (Sting) to enhance the security and 
survivability of enteiprise networks and systems. The suite also includes 
features such as AutoUpdate, modular construction, and Active Security 
integration to provide product integrity. A Network Associates white 
paper on next-generation intrusion detection is available at 
http;//www.nai.com/active5ecurity/files/ids.doc. 

The above cited passages teach that the Serverwatch product creates a series of fictitious 
systems on a special server. However, nowhere does the advertisement state that the 
address of the special server is "not published to tlie plurality of client data processing 
systems." Simply creating a virtual device does not meaa that the address of the device, 
or the server on which the virtual device resides, is unknown to other, real servers and 
devices. It just means that the device is not a real, physical device. Thus, nowhere does 
ServerWatch teach or suggest the feature of 'Vhcrcin the address of the bait server is not 
published to the plurality of client data processing systems/* Therefore, the proposed 
combination does not result in the claimed irrvention. Accordingly, the Examiner has 
failed to state a prima facie case of obviousness. 

Claim 9 recites the feature of "wherein the network data processing system is 
configured to, once the offending system has been disinfected of the clieni, allow the 
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offending system to reconnect to the network data processing system." The Exanuner 
points to column. 5, lines 59-65, cited above, and column 21, lines 30-42, reproduced 
belowj as teaching this feature: 

If the user chooses to suspend the process, the method proceeds to Step B, 
m which that process, all parents or children of that process, and perhaps 
all other processes in meinOTy, arc scanned for known worms. Cleanup 
involves killing active worm processes (detennined by tracing the process 
tree), and deleting worm executables and auxiliary files firom storage 
media. Backup of files is not likely to be as necessary in this case, as ii is 
for viruses, since a worm typically does not alter other executables. 
However, r^toration of files may be necessary if the worm modifies 
scripts in order to invoke itself, or causes damage to other executable or 
data files. 

The two passages, cited above, teach eliminating the virus, or worm, once it has been 
detected. The Examiner fiirther states that "it is obvious to allow the disinfected system to 
be reconnected to the network after disinfection". However, as was discussed in regards 
to claim 1 above, Arnold does not teach disconnecting the offending computer from the 
network. Therefore, it follows that if Arnold does not teach disconnecting the infected 
system, it cannot teach reconnecting the system once it has been disinfected. Thus, 
Arnold does not teach the feature of "wherein the network data processing system is 
configured to, once the offending system has been disinfected of the client, allow the 
offending system to recormect to the network data processing system." Therefore, the 
proposed combmation does not result in the claimed invention. Accordingly, the 
Examiner has failed to state a prima facie case of obviousness. 

Claims 12, 22 and 32 recite the features of "receiving a reconnect request from 
the offending system" and "reconnecting the offending system to the network." Neither 
Arnold nor ServerWatch teach or suggest these features. The Examiner points to column 
24, lines 61-65 as teaching these features: 

The resulting disinfected file is then checked by running CHECKUP 
(Block B) and determining whether the checksum of the file matches the 
value it had prior to infection. If not, automatic or manual restoration of 
the original file can be attempted. 
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The above cited passage teaches verifying that the disinfected file has iodeed been 
disinfected. The Examiner further states that "it is inherent that the computer is 
reconnected to the network after the disinfection is verified." However, as was discussed 
above in regards to claims 1 and 9, Arnold does not teach disconnecting an infected 
computer from the network. Therefore, it follows that if Arnold does not teach 
disconnecting the infected system, it cannot teach receiving a request to reconnect the 
computer once it has been disinfected or reconnecting the computer once it has been 
disinfected. Thus, Arnold does not teach the features of "receiAdng a reconnect request 
from the offending system" or ^'reconnecting the offending system to the network/* 
Therefore, the proposed combination does not result in the claimed invention. 
Accordingly, tlie Examiner has failed to state a pHma facie case of obviousness. 

Therefore, the rejection of claims 1-10, 12, 20, 22, 30 and 32 under 35 U.S.C. § 
103 has been overcome. 

IL TJ.a,C, S 103. Obviousness, Claims 11, 21 anci 31 

The Examiner has rejected claims 11, 21 and 31 under 35 U.S.C. § 103 as being 
unpatentable over Arnold et al (5440723) in view of ServerWatch - Network Associates 
Ships CyberCop Sting in further view of Kim et al (6701440 Bl). This rejection is 
respectfully traversed. 

As to claims 1 1, 21, 31 ^ the OfEce Action states: 

With respect to Claim 1 1, all the limitation is met by the 
combination of Arnold et al and ServerWatch except for the following 
limitation. The limitation of "prior to disconnecting the offending system, 
notifying the offending system that it is infected with a virus" is met by 
Kim et al on column 3, hnes 45-47 and 54-61. 

It would have been obvious to one of ordinary skill in the ait to 
combine the teachings of Kim et al within the combination of Arnold et al 
and ServerWatch because quarantining the infected machine and then 
notifying it that is has been infected prevents further spread of the virus to 
the rest of the network. 

Office Action dated October 5, 2004, page 4. 
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The Arnold reference does not teach or suggest all the claim limitations in claims 
U, 21 and 31, as argued in the response to the rejection of claim 1 above. 

Furthermore, as argued in the response to the rejection of claim 1 above, 
ServerWatch does not cure the deficiencies in Arnold. 

Additionally, Kim does not cure the deficiencies of Arnold and ServerWatch. Kim 
docs not teach the feahires missing from Arnold and ServerWatch, including "ignores all 
further access requests by the offendmg system until receiving an indication that the 
offending system has been disinfected, and directs the local server to disconnect the 
offending system from the network data processing system," nor does the Examiner cite 
any portion of Kim that teaches these features. 

Thus, claims 1 1, 2 1 and 3 1 are patentable over the cited references because the 
combination of the Arnold reference with Serverwatch and Kim would not reach the 
presently claimed invention. The features relied upon as being taught in the Arnold 
reference are not taught ot suggested by that reference, as explained above. Neither 
ServerWatch nor Kim cures the deficiencies of Arnold. As a result, a combination of these 
references would not reach the claimed invention in claims 11,21 and 3 1 . 

In view of the above. Applicants submit that dependent claims 11, 21 and 31 are 
not taught or suggested by Arnold, Serverwatch, Kim or any combination thereof. Claims 
1 1, 21 and 3 1 are dependent claims depending on independent claims 10, 20 and 30. 
Applicants have already demonstrated claims 10, 20 and 30 to be in condition for 
allowance. Applicants respectfully submit that claims 1 1 , 21 and 31 are also allowable, at 
least by virtue of their dependency on. allowable claims. 

jl^erefore, the rejection of claims 11,21,31 under 35 U.S.C. § 103 has been 
overcome. 

m. 35 U.S,C, S 103, Obviousness, Claims 13. 23 and 33 

The Examiner has rejected claims 1 3, 23 and 33 under 35 U.S.C. § 103 as being 
unpatentable over Serverwatch - Network Associates Ships CyberCop Sting- 
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As to claims 13, 23, 33, the Office Action states: 

With respect to Claim 13. ServerWatch meets the limitation of 
"monitorins^^ within tlie bail server; and responsive to a chsmgc m one 
TZT^^^c^Z-^iihir. the bail server, notifying a local ser^-er that a 
^rSack U midervvay'' on pages 1 and 2. CyberCop notifies an 
iSsSor of intrusive activity. This admini^ator miist reside over a 

Q^^rv^erMrocessor to receive this message. 

U would have been obvious to one of ordinary skill m the art to 

respond to a change in one or more files within the bail server because this 

wSalcrt the a^ninistrator of an ongoing or potential attack withm the 

network. 

Office Action dated October 5. 2004, page 5. 

In order to expedite prosecution, claims 13, 23 and 33 have been cancelled. 
Therefore, the rejection of claims 13, 23 and 33 under 35 U.S.C. § 103 has been rendered 
moot. 

IV. 35 U.S.C. § T^^i Ohviousness. Claim s 14. 15. 24. 25. 34 md 35 

The Examiner has rejected claims 14, 15, 24, 25, 34 and 35 under 35 U.S.C. § 103 
as being unpatentable over Se^^^ematch - Network Associates Ships CyberCop Sting in 
view 

of Arnold etal (5440723). 
As to claims 14, 15, 24, 25, 34 and 35, the Office Action states: 

With respect to Claim 1 4, ServerWatch meets all the limitation 
except for the foUowing limitation. Arnold et al meets the limitation of 
"wherein the change in one or more of the files includes a change in byte 
si^e of the one or more of the files" on column 5, lines 14-16. 

It would have been obvious to one of ordinary skill in the art at the 
time the invention was made to combine the teachings of Arnold et al 
within the system of ServerWatch because a checksum of the file lo 
indicate that the file has been changed allows the system to know if the 
server has been iafected by a virus. 

Office Action dated October 5, 2004, page 5. 

In order to expedite prosecution, claims 14, 15, 24, 25, 34 and 35 have been 
cancelled. Therefore, the rejection of claims 14, 15, 24, 25. 34 and 35 under 35 U.S.C § 
1 03 has been rendered moot. 
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V. 1^ TT.S.C. S OhviousnMs. aaims 1* ^^°, '>^^'> "^'^ 36-39 

The Examiner has rejected claims 16-19, 26-29, and 36-39 under 35 U.S.C § 103 
as being unpatentable over Arnold et al (5440723). This rejection is respectfully 
traversed. 

As to claims 16-19, 26-29, 36-39, the Office Action states: 

With respect to Claim 16. Amold ct al meets the limitation of 
"monitoring a network for the presence of a computer virus" on column 2, 
lines 51-55- and "responsive to a dcteimination that a virus is detected, 
determining the identify of an offending system within the network from 
which the virus entered the network" on column 4, lines 61-66; and 
"directing the local server to disconnect the offending system from the 
network" on column 19, hnes 60-68, and on column 20, lines 1-3. 

It would have been obvious to one of ordinary skill in the art at the 
time of the invenfion to discomiect the infected computers from the 
network before the systems are cleaned up so as to prevent further spread 
of the virus. The "I'm infected" message sent by the infected system(s) 
has its identifying information as part of the message sent or else the 
recipient of this message would not know which computer in the network 
had sent this message and was infected. 

Office Action dated October 5, 2004, page 6-7. 

Independent claim 16, which is representative of independent claims 26 and 36 
with regard to similarly recited subject matter, recites: 

1 6. A method in a bait server for detecting the presence of a computer 
virus, the m ethod comprising: 

monitoring a network for the presence of a computer virus; 

responsive to a determination that a virus is detected, determining 
the identity of an offending system within the network from which the 
virus entered the network; and 

directing the local server to disconnect the offending system from 

the network. 

Tine Arnold reference does not teach or suggest all the claim limitations in claim 
16. Specifically, Arnold does not teach the feature of "directing the local server to 
disconnect the offending system &om the network." The Examiner points to column 19, 
line 60 through column 20, line 3 as teaching this feature. However, as was discussed 
above in the response to the rejection of claim 1, Arnold does not teach this feature. 
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Therefore, even in view of the Examiner's coinments, Arnold would not teach or suggest 
the presently claimed invention. Accordingly, the Examiner has failed to state apnma 
facie case of obviousness. 

Therefore, for all the reasons stated above, Applicants beheve that Arnold docs not 
teach all the features of independent claims 16, 26 and 36. AdditionaUy, for all the reasons 
stated above. Applicants believe that neither Arnold nor the Examiner's comments teach all 
the features of independent claims 16, 26 and 36- Therefore, even in view of the 
Examiner's comments, Arnold would not teach or suggest the claimed invention. 
Accordingly, the Examiner has failed to state a pHma facie case of obviousness. 
TJierefore. Applicants respectfully submit that claims 1 6, 26 and 36 are patentable over 
Arnold. 

Claims 1749, 27-29 and 37-39 are dependent claims that depend from 
independent claims 1 6, 26 and 36. As Applicants have already demonstrated that 
independent claims 16, 26 and 36 are patentable over Arnold and the combination of the 
Arnold and Servenvatch references. Applicants submit that dependent claims 17-19, 27- 
29 and 37-39 are patentable over Arnold and the combination of the Arnold and 
ServerWatch references at least by virtue of depending from an allowable claitn. 
Consequently, AppHcants respectfully submit that the rejection of claims 17-1.9, 27-29 
and 37-39 has been overcome. Additionally, several claims recite other additional 
combinations of features not suggested by Amold or the combination of Arnold and 
ServerWatch. 

For example, claims 1 7, 27 and 37 recite the feature of "instructing all devices 
within the networic to ignore all requests from the offending system until the offending 
system has been disinfected and is available for network communication." Amold does 
not teach this feature. The Examiner points to column 19, line 60 through column 20, Ime 
11, reproduced above, as teaching this feature. However, the above cited passage docs 
not teach this feature. As was discussed above in the response to the rejection of claim 1, 
Amold does not teach or suggest the feature of "ignores all further access requests by the 
offending system until receiving an indication that the offending system has been 
disinfected." Therefore, it follows that Amold does not teach the feature of "instructing 
all devices within the network to ignore all requests from the offending system until the 
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offending systercn has been disinfected and is available for network commnmcatioi)./' as 
recited in claixas 17, 27 and 37 of the present invention. Therefore, even in view of the 
Examincr^s comments, Arnold would not teach or suggest the presently claimed 
invention. Accordingly, the Examiner has failed to state a prima facie case of 
obviousness. 

Additionally, claims 19, 29 and 39 recite the feature of "responsive to an 
indication that the offending system has been disinfected and responsive to a reconnect 
request from the ofTending system, reconnecting the offending system to the network." 
Arnold does not teach this feature. The Examiner points to column 24, lines 61 through 
65, reproduced above, as teaching this feature. However, the above cited passage does 
not teach this feature. As was discussed above in the response to the rejection of claim 
12, Arnold does not teach or suggest "receiving a reconnect request from the offending 
system" or "reconnecting the offending system to the network." Therefore, it follows for 
the same reasons, that Arnold does not teach the feature of "responsive to an indication 
that the offending system has been disinfected and responsive to a reconnect request from 
the offending system, reconnecting the offending system to the network," as recited in 
claims 19, 29 and 39 of the present invention. Thus, Arnold does not teach each and 
every clement of claims 19, 29 and 39. Therefore, even in view of the Examiner's 
comments, Arnold would not teach or suggest the presently claimed invention. 
Accordingly, the Examiner has failed to state a prima facie case of obviousness. 

Therefore, the rejection of claims 16-19, 26-29, and 36-39 under 35 U.S.C. § 102 
and 35 U.S.C. § 1 03 has been overcome. 
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VI. Conclusion 

It is respectfully urged that the subject application is patentable over the cited 
references and is now in condition for allowance. 

The Examiner is invited to call the undersigned at the below-listed telephone 
number if in the opinion of the Examiner such a telephone conference would expedite or 
aid the prosecution and examination of this appUcation. 

DATE: TT^Uur^c S~ 7<}o ^ 




Respectfully submitted, 




Gerald H. Glanzman 
Reg. No. 25,035 
Yee 4& Associates, P.C. 
P.O. Box 802333 
Dallas, TX 75380 
(972) 385-8777 
Attorney for Applicants 



GHG/bj 
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